kernels, binutils, and stable releases
archaic at linuxfromscratch.org
Mon Apr 18 08:29:55 PDT 2005
On Mon, Apr 18, 2005 at 10:45:12AM -0400, Robert Connolly wrote:
> There was talk before about adding iptables rule sets to each service, like
> sshd. So that rules go up and down with the service. Does that still sound
> like a good plan?
I never was overly convinced of that idea and Dagmar has apparently
abandoned all LFS contact before posting any sort of usable POC. It
seems to me that blocking port 80 (for example) would be a system-wide
policy and not one that required that a daemon that uses port 80 is on
the box. I do believe the rules should be *configured* in each relevant
package's page, but I don't see the need for an overly cumbersome
attachment of hooks just to use those rules. If someone had to have a
modular set of rules, then the main ruleset that sets default policy can
include those a la /etc/profile.d type files (/etc/firewall.d?). That
might be nice; though it doesn't actually add or remove any
functionality to the actual running of the firewall, it does allow us to
configure things individually.
Want control, education, and security from your operating system?
Hardened Linux From Scratch
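The /etc/firewall.d idea sketched above, as an added example that is not part of the original thread: a main script sets the system-wide default-deny policy, then sources per-package rule fragments so each package's rules can be configured separately without hooking into the service scripts. The directory name, the *.rules naming, and the IPT variable (set it to "echo" for a dry run) are assumptions.

```shell
#!/bin/sh
# Main firewall script: default policy first, then per-package fragments.
# FIREWALL_D, the *.rules naming and IPT are assumptions for this example.
FIREWALL_D="${FIREWALL_D:-/etc/firewall.d}"
IPT="${IPT:-iptables}"   # IPT=echo prints the rules instead of loading them

# System-wide policy: drop inbound by default, keep loopback and
# replies to our own connections working. Packages never change this.
apply_base_policy() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Each package ships one fragment, e.g. $FIREWALL_D/sshd.rules, written in
# terms of $IPT. Fragments are sourced as root, so only readable,
# non-world-writable files are accepted.
include_fragments() {
    for f in "$FIREWALL_D"/*.rules; do
        [ -r "$f" ] || continue
        if [ -n "$(find "$f" -perm -o+w 2>/dev/null)" ]; then
            echo "skipping world-writable fragment $f" >&2
            continue
        fi
        . "$f"
    done
}

# Full run: base policy, then the fragments, in name order.
run_firewall() {
    apply_base_policy
    include_fragments
}

case "${1:-}" in
    start) run_firewall ;;
esac
```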